A practicing CISO's perspective on managing information security in large enterprises.

Friday, December 26, 2008

Trust, audits, and Bernard Madoff

50 billion dollars lost to a guy with an accountant working out of a basement. Something doesn't make sense. The Madoff scandal is so stunning because we like to think that when something gets big enough it must have a minimum level of legitimacy. How can a huge, well-respected fund involving some of the world's wealthiest and savviest people be one big house of cards? Didn't someone bother to check?

Details are scant, and I suspect that there will be a few surprises in the coming months. Some people funneling money to Madoff must have known the consistent returns were too good to be true. They happily collected commissions and figured that as long as there was nothing overtly criminal they had no obligation to dig deeper. But what about the real out-of-pocket victims who will probably never see any real return on their money? Is there something these victims should have or could have done differently?

In information security, we constantly deal with the same issue - how do we trust our business partners? Any decent sized organization has dozens of companies processing their sensitive data. The move to SaaS and the growing acceptance of outsourcing will see the number of partners increase in the coming years. How do companies vet their business partners? Only the largest companies can afford to actually audit their partners. How does a midsize company know whether to trust another company with its critical customer data?

Something went desperately wrong with the vetting process in the case of Bernard Madoff. There are lessons not only for the financial industry but for all risk professionals:

Charismatic charlatans can win people over. This has always been true and always will be. There is nothing really to be learned here.

Everyone thinks someone else is doing the vetting. Every wealthy, famous investor Madoff pulled in made the next sales pitch that much easier. After all, wouldn't you trust your money to the person who manages Steven Spielberg's money? There is an exact parallel in the information security world. I have done security vetting on hundreds of external vendors over the years. Invariably, at some point in the conversation, I get the we-are-secure-because-big-famous-company-X-uses-us line. The implication, of course, is that they have already been vetted by the bigger, more famous company, so there is nothing to worry about.

People are satisfied with the superficial appearance that everything is OK. A number of European banks that fell victim to Madoff had stated in earlier correspondence with clients that Madoff was audited by an SEC-approved accountant. Despite the absurdity of such a vast operation being audited by a single guy who was basically working out of his basement, all the investors really wanted was to be able to tick the checkbox for auditing. In information security, consumers are very often only interested in interface security. If it looks secure - if the site is SSL encrypted and there is a security policy that says something about biometric readers at the entrance to the server room - then everything must be fine.

Too many layers of business partners is the enemy of transparency. Some of Madoff's victims invested with him directly, but many had invested in funds that invested in other funds that eventually invested in Madoff. It's hard to keep an eye on your business partners, and almost impossible to keep an eye on your partners' partners. The lesson for data security? Make sure your outsourcers are not outsourcing your work without your knowledge, and if they do, apply the same scrutiny to the new partner as you applied to the first one.

The Madoff scandal, together with the equally spectacular collapse of America's leading banks, will undoubtedly lead to tighter regulation. I am guessing that there will be very wide reaching implications for information security and risk professionals. Let's stay tuned.